<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<article>
  <!--$Id$-->

  <articleinfo>
    <title>Countering Spoofing Attempts</title>

    <authorgroup>
      <author>
        <firstname>Tom</firstname>

        <surname>Eastep</surname>
      </author>
    </authorgroup>

    <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>

    <copyright>
      <year>2012</year>

      <holder>Thomas M. Eastep</holder>
    </copyright>

    <legalnotice>
      <para>Permission is granted to copy, distribute and/or modify this
      document under the terms of the GNU Free Documentation License, Version
      1.2 or any later version published by the Free Software Foundation; with
      no Invariant Sections, with no Front-Cover, and with no Back-Cover
      Texts. A copy of the license is included in the section entitled
      <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
      License</ulink></quote>.</para>
    </legalnotice>
  </articleinfo>

  <section>
    <title>Introduction</title>

    <para><firstterm>Spoofing</firstterm> is the practice of sending packets
    with a forged source address in an attempt to circumvent security
    measures. Shorewall supports a variety of measures to counter spoofing
    attacks.</para>
  </section>

  <section>
    <title>The <emphasis>routefilter</emphasis> Interface Option</title>

    <para>This <ulink url="???">shorewall-interfaces</ulink> (5) option was
    the first measure implemented and uses
    <filename>/proc/sys/net/ipv4/conf/*/rp_filter</filename>. Many
    distributions set this option by default for all ip interfaces. The option
    works by determining the reverse path (the route from the packets
    destination to its source); it that route does not go out through the
    interface that received the packet, then the packet is declared to be a
    martian and is dropped. A kernel log message is generated if the
    interface's <option>logmartians</option> option is set
    (<filename>/proc/sys/net/ipv4/conf/*/log_martians</filename>).</para>

    <para>While this option is simple to configure, it has a couple of
    disadvantages:</para>

    <itemizedlist>
      <listitem>
        <para>It is not supported by IPv6.</para>
      </listitem>

      <listitem>
        <para>It does not use packet marks so it doesn't work with some <ulink
        url="MultiISP.html">Multi-ISP</ulink> configurations.</para>
      </listitem>

      <listitem>
        <para>The log messages produces are obscure and confusing.</para>
      </listitem>
    </itemizedlist>
  </section>

  <section>
    <title>Hairpin Filtering</title>

    <para>Spoofing can be used to exploit Netfilter's connection tracking to
    open arbitrary firewall ports. Attacks of this type establish a connection
    to a server that uses separate control and data connections such as an FTP
    server. It then sends a packet addressed to itself and from the server.
    Such packets are sent back out the same interface that received them
    (<firstterm>hairpin</firstterm>). In cases where the
    <option>routerfilter</option> option can't be used, Shorewall 4.4.20 and
    later will set up hairpinning traps (see the SFILTER_DISPOSITION and
    SFILTER_LOG_LEVEL options in <ulink
    url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5)).</para>

    <para>This automatic hairpin trapping is disabled on interfaces with the
    <option>routeback</option> option.</para>
  </section>

  <section>
    <title>The <emphasis>rpfilter</emphasis> Interface Option</title>

    <para>A new iptables/ip6tables match (rpfilter) was added in kernel 3.4.4.
    This match performs reverse path evaluation similar to
    <option>routefilter</option> but without the disadvantages:</para>

    <itemizedlist>
      <listitem>
        <para>It is supported by both IPv4 and IPv6.</para>
      </listitem>

      <listitem>
        <para>It uses packet marks so it works with all <ulink
        url="MultiISP.html">Multi-ISP</ulink> configurations.</para>
      </listitem>

      <listitem>
        <para>It produces standard Shorewall/Netfilter log messages controlled
        by the RPFILTER_LOG_LEVEL option in <ulink
        url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5)).</para>
      </listitem>

      <listitem>
        <para>Both the disposition and auditing can be controlled using the
        RPFILTER_DISPOSITION option in <ulink
        url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5)).</para>
      </listitem>
    </itemizedlist>
  </section>
</article>